Folders with "write" permissions are a gold mine for hackers
regardless of server type.
777 on a shared host with php installed can be a true mess unless the
IT took a few extra steps when installing php. open_basedir can be
used to define where scripts can write to. Set correctly, I can
write to mine, but not to yours. Many servers do not take the time to
do this. So if you and I were on the same poorly set up server, I
could write to your 777 folder from a script that resides in mine.
Exactly how a hacker that is not on the same server exploits this, I
have no idea, but chances are 775 hacks would follow a similar
process. Write permission on a Windows server with no php installed
is also a gold mine for hackers so it's not just a php security
issue. I'm not sure what changed with 2003 but that has proved to be
much safer for folders with write permissions than older versions but
even then, there are so many things like an unpatched FTP server, poor
firewall, open ports, unpatched SQL, etc. that can give a hacker
access.
Much to my surprise I also got an email from an open source project
that I am using saying the same thing. They tried to pass it off as a
security hole that was fixed in an earlier version but after just
looking at a few sites this morning done with a version "just"
released, I found over 70% of those were down and only 1 of the last
version. Luckily, I hadn't installed the new version and I do not
allow for file uploads.
I also don't think this is really a defacing hack as a 404 php is
added to make it appear as though all the pages are no longer
available and fake 404's were quite common on some hacks ~9 months or
so ago that installed some kind of garbage (for the life of me, I
forget what the virus was supposed to do other than the fact on most PCs
it failed).
I've asked anyone that still has the altered files to send me copies.
As of last night, I think most thought I was the hacker and got
"NO !". Hopefully now that I've found more sites, I can get a copy of
files from at least one but I would really love some from sites not
using this same project so I can see if they are in fact the same
thing.
On Aug 31, 7:20 pm, webado wrote:
> How are they getting access? Just because a folder is chmod 777
> doesn't mean you can access it from outside the website.
> On Aug 31, 4:47 pm, djc wrote:
> > The bot is a libwww bot....no big surprise there
> > On Aug 31, 3:43 pm, djc wrote:
> > > Today there are a number of attempts being reported today that a bot
> > > is attempting to deface sites (777 and 775 folders)
> > > The bot will add/alter the htaccess and plant a php file where the
> > > file name appears to be a random number. No word yet on IPs but
> > > chances are they will turn out to be hijacked computers or servers.
> > > If I hear anything more, I'll let you know. I'll be interested to see
> > > what the php file does.
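
A defensive sweep for the indicators described in this thread (777 and 775 folders, a PHP file whose name is only digits, an .htaccess sitting in a writable folder), as an added example that is not part of the original posts. The function names, the sample tree and the file name 83921.php are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Assumption: the planted file looks like "<digits>.php", as the thread describes.
NUMERIC_PHP = re.compile(r"^\d+\.php$", re.IGNORECASE)

def audit_webroot(root):
    """Walk root and return sorted (finding, relative_path) tuples."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):  # symlinks not followed
        mode = os.lstat(dirpath).st_mode
        rel = os.path.relpath(dirpath, root)
        writable = False
        if mode & stat.S_IWOTH:        # 777-style: anyone on the host can write
            findings.append(("world-writable-dir", rel))
            writable = True
        elif mode & stat.S_IWGRP:      # 775-style: risky when the group is shared
            findings.append(("group-writable-dir", rel))
            writable = True
        for name in filenames:
            path = os.path.normpath(os.path.join(rel, name))
            if NUMERIC_PHP.match(name):
                findings.append(("numeric-php-file", path))
            elif name == ".htaccess" and writable:
                # Another account could have added or altered this file.
                findings.append(("htaccess-in-writable-dir", path))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample web root: one 777 upload dir holding planted files."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.chmod(root, 0o755)
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    for name in ("index.php", os.path.join("uploads", "83921.php"),
                 os.path.join("uploads", ".htaccess")):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("")  # empty placeholder, contents are irrelevant here
    os.chmod(uploads, 0o777)
    return root

if __name__ == "__main__":
    for kind, path in audit_webroot(build_sample_tree()):
        print(f"{kind:26} {path}")
```

Run against a real document root, each `numeric-php-file` or `htaccess-in-writable-dir` hit is a file to compare against a known-good copy of the site.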